As a consultant at Trivadis, I am currently working for a customer who wants to secure their Kubernetes infrastructure. Part of that hardening is preventing data from one specific namespace from reaching the internet. The project runs in a private network, but by default pods in Kubernetes can still open connections to the internet.
Kubernetes provides NetworkPolicies for this. They are defined per namespace and let you specify ingress rules (what may come in?) and egress rules (what may go out?).
The first rule is quickly written:

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-all-ingress
spec:
  podSelector: {}        # selects every pod in the namespace
  ingress:
  - {}                   # allow all incoming traffic
  policyTypes:
  - Ingress
  - Egress               # listed without any egress rule, so all outgoing traffic is denied
With this rule, we block all outgoing traffic. Unfortunately, that also breaks DNS name resolution within the cluster and connections to other namespaces, so we have to add explicit allow rules for those. The documentation shows how to do this.
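As an added example that is not part of the original post, the following policy shows the kind of allow rules just mentioned: it denies all egress from the namespace except DNS lookups against CoreDNS in kube-system and traffic to pods in any namespace of the same cluster. The namespace name "restricted" is an assumption; the kubernetes.io/metadata.name label is set automatically on namespaces by Kubernetes 1.21 and later, on older clusters you have to label kube-system yourself.

```yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-cluster-egress-only
  namespace: restricted          # assumed namespace name
spec:
  podSelector: {}                # applies to every pod in the namespace
  policyTypes:
  - Egress                       # only egress is restricted by this policy
  egress:
  # Rule 1: DNS to CoreDNS. The CoreDNS pods carry the label k8s-app=kube-dns
  # and live in kube-system. Both UDP and TCP 53 are needed, TCP is used for
  # large responses and truncation retries.
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
      podSelector:
        matchLabels:
          k8s-app: kube-dns
    ports:
    - protocol: UDP
      port: 53
    - protocol: TCP
      port: 53
  # Rule 2: pods in any namespace of this cluster. An empty namespaceSelector
  # matches all namespaces. There is deliberately no ipBlock entry, so nothing
  # outside the pod network (including the internet) is reachable.
  - to:
    - namespaceSelector: {}
```

Note that because no ipBlock is listed, destinations outside the pod network are all blocked; on EKS that includes the API server endpoint, so workloads in the namespace that talk to the API server need an additional egress rule with an ipBlock for that endpoint. To check the effect, exec into a pod in the namespace after the policy is applied: an in-cluster service name should still resolve and respond, while a connection to an external host should time out rather than succeed.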
When we deploy the NetworkPolicy shown above on AWS EKS, nothing happens at first. On the AWS Kubernetes service, a component is still missing that needs to run on every node for the rules to be enforced: Calico.
"Project Calico is a network policy engine for Kubernetes. With Calico network policy enforcement, you can implement network segmentation and tenant isolation."
Once you know you need this component, you can install it as follows:
kubectl apply -f https://raw.githubusercontent.com/aws/amazon-vpc-cni-k8s/v1.7.5/config/v1.7/calico.yaml
You can always find the current URL on the AWS Calico project page.
After Calico has been rolled out, it is best to restart the pods within the namespace once to test the effect, because the policy is only enforced for traffic that Calico sees.
This article was also published on LinkedIn.